[comp.sys.sgi] Is this a mail bug?

dong@umiacs.umd.edu (Dong Chen) (05/16/91)

This seems like a bug to me.
After I change my LOGNAME to somebody else's name,
I can actually read all his mail using "Mail",
while I cannot read /usr/mail/foo directly.
Here is what it looks like:

%setenv LOGNAME foo
%Mail
Mail version 5.2 6/21/85.  Type ? for help.
"/usr/mail/foo": 2 messages 2 unread [Read only]
>U  1 *******
 U  2 *******
& q
%more /usr/mail/foo
/usr/mail/foo: Permission denied
%ls -l /usr/mail/foo
-rw-rw----   1 foo      mail        2338 May  9 14:02 /usr/mail/foo

After I changed the mode to 600, others cannot read the mail.
But since the default one is 660, I don't know if there are potential problems
in changing it to 660?

wicks@DCDMJW.FNAL.GOV ("Matthew J. Wicks") (05/16/91)

>>Date: 16 May 91 02:02:38 GMT
>>From: Dong Chen <umiacs.umd.edu!dong@mimsy.umd.edu>
>>Organization: UMIACS, Univ. of Maryland, College Park, MD 20742
>>Subject: Is this a mail bug ?
>>Message-Id: <34541@mimsy.umd.edu>
>>
>>This seems a bug for me.
>>After I change my LOGNAME to somebody else's name,
>>I can actually read all his mails using "Mail".
>>While I cannot read /usr/mail/foo directly.
>>here is what it's like:
>>
>>%setenv LOGNAME foo
>>%Mail
>>Mail version 5.2 6/21/85.  Type ? for help.
>>"/usr/mail/foo": 2 messages 2 unread [Read only]
>>>U  1 *******
>> U  2 *******
>>& q
>>%more /usr/mail/foo
>>/usr/mail/foo: Permission denied
>>%ls -l /usr/mail/foo
>>-rw-rw----   1 foo      mail        2338 May  9 14:02 /usr/mail/foo
>>
>>After I changed the mode to 600, others cannot read the mail.
>>But since the default one is 660, I don't know if there are potential problem
>>to change it to 660 ?

This bug was discovered last October and a fix has been provided by SGI. I
am attaching an old posting from this newsgroup giving details of how to
get the fix.


Matt Wicks
Fermi National Accelerator Laboratory
wicks@fnal.fnal.gov
708-840-8083

-----------------------------------OLD POSTING------------------------------
From info-iris-request@vmb.brl.mil  Thu Oct 11 18:56:33 1990
Received: from [131.225.102.1] by dcdlaa.fnal.gov (5.52/1.34)
        id AA14729; Thu, 11 Oct 90 18:56:33 CDT
Date: 11 Oct 90 19:37:35 GMT
From: Superuser <sgi!root@ucbvax.berkeley.edu>
Subject: WARNING - Security hole in IRIX 3.3 /usr/sbin/Mail
Message-Id: <71861@sgi.sgi.com>
Sender: info-iris-request@BRL.MIL
To: info-iris@BRL.MIL
Status: R

--- WARNING ---

There is a security hole in IRIX 3.3 and 3.3.1 /usr/sbin/Mail.
Due to the nature of this problem, I shall provide no further details.

For the benefit of those with immediate security concerns, a fixed
/usr/sbin/Mail binary has been made available for anonymous ftp from
SGI.COM ([192.48.153.1]).  The fixed binary can be found at:
        sgi/Mail/Mail

under the ftp directory.

Note that this binary must be installed with the same group (mail) and
permissions (2755) as your existing 3.3 or 3.3.1 /usr/sbin/Mail.

Apologies for any inconvenience.
        Robert Stephens
        Silicon Graphics Inc.
        Mountain View, CA
        roberts@sgi.com

silvert@cs.dal.ca (Bill Silvert) (05/17/91)

In article <9105161326.AA20522@dcdmjw.fnal.gov> wicks@DCDMJW.FNAL.GOV ("Matthew J. Wicks") writes:
>am attaching an old posting from this news group giving details of how to
>get the fix.
>
>-----------------------------------OLD POSTING------------------------------
>From info-iris-request@vmb.brl.mil  Thu Oct 11 18:56:33 1990
>Date: 11 Oct 90 19:37:35 GMT
>From: Superuser <sgi!root@ucbvax.berkeley.edu>
>Subject: WARNING - Security hole in IRIX 3.3 /usr/sbin/Mail

So the fix was posted on October 11?  My PI was shipped by SGI on Feb.
12 of this year and has the same problem.  When will SGI ship the fixed
version of Mail?
-- 
William Silvert, Habitat Ecology Division, Bedford Inst. of Oceanography
P. O. Box 1006, Dartmouth, Nova Scotia, CANADA B2Y 4A2.  Tel. (902)426-1577
UUCP=..!{uunet|watmath}!dalcs!biome!silvert
BITNET=silvert%biome%dalcs@dalac	InterNet=silvert%biome@cs.dal.ca

roberts@nimrod.wpd.sgi.com (roberts) (05/17/91)

> So the fix was posted on October 11?  My PI was shipped by SGI on Feb.
> 12 of this year and has the same problem.  When will SGI ship the fixed
> version of Mail?

I have just verified that the fixed version shipped with IRIX 3.3.2.
It must be the case that your machine is running IRIX 3.3.1; you should
check to be sure.  In any event, a fixed binary can be ftp'ed from sgi.com
as described in the October 11 posting.  Feel free to contact me if you
have any further problems.

	- Robert Stephens
	  Silicon Graphics Inc.